<!DOCTYPE html>
<html lang="en" country="us">
<head>

<style>.async-hide {
            opacity: 0 !important
        } </style>
<script data-cfasync="false">if (!window.location.hostname.match(/marketodesigner/i)) {
            (function (a, s, y, n, c, h, i, d, e) {
                s.className += ' ' + y;
                h.start = 1 * new Date;
                h.end = i = function () {
                    s.className = s.className.replace(RegExp(' ?' + y), '')
                };
                (a[n] = a[n] || []).hide = h;
                setTimeout(function () {
                    i();
                    h.end = null
                }, c);
                h.timeout = c;
            })(window, document.documentElement, 'async-hide', 'dataLayer', 1900,
                {'GTM-N8HXDD2': true})
        }</script>
<script data-cfasync="false" async src="https://www.googleoptimize.com/optimize.js?id=GTM-N8HXDD2" onerror="dataLayer.hide.end && dataLayer.hide.end()"></script>

<script data-cfasync="false">(function (w, d, s, l, i) {
            w[l] = w[l] || [];
            w[l].push({
                'gtm.start':
                    new Date().getTime(), event: 'gtm.js'
            });
            var f = d.getElementsByTagName(s)[0],
                j = d.createElement(s), dl = l != 'dataLayer' ? '&l=' + l : '';
            j.async = true;
            j.src =
                'https://www.googletagmanager.com/gtm.js?id=' + i + dl;
            f.parentNode.insertBefore(j, f);
        })(window, document, 'script', 'dataLayer', 'GTM-5V5LPNC');</script>

<script src="https://cdn.cookielaw.org/scripttemplates/otSDKStub.js" data-document-language="true" type="3da5fa11e53f06b6c927eaf7-text/javascript" charset="UTF-8" data-domain-script=bee15b7c-b632-450e-9003-9c8b60b3b978></script>
<script type="3da5fa11e53f06b6c927eaf7-text/javascript">
    function OptanonWrapper() { }
</script>
<meta charset="UTF-8">
<meta name="HandheldFriendly" content="True">
<meta name="MobileOptimized" content="320">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="apple-mobile-web-app-capable" content="yes">
<meta http-equiv="cleartype" content="on">
<meta name='robots' content='index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1' />

<title>A Roaming Threat to Telecommunications Companies | CrowdStrike</title>
<meta name="description" content="Learn about recent LightBasin intrusion activities and why CrowdStrike Intelligence assesses that LightBasin will continue to target the telecommunications sector." />
<link rel="canonical" href="https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks/" />
<meta property="og:locale" content="en_US" />
<meta property="og:type" content="article" />
<meta property="og:title" content="A Roaming Threat to Telecommunications Companies | CrowdStrike" />
<meta property="og:description" content="Learn about recent LightBasin intrusion activities and why CrowdStrike Intelligence assesses that LightBasin will continue to target the telecommunications sector." />
<meta property="og:url" content="https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks/" />
<meta property="og:site_name" content="crowdstrike.com" />
<meta property="article:publisher" content="https://www.facebook.com/CrowdStrike/" />
<meta property="article:published_time" content="2021-10-19T07:00:10+00:00" />
<meta property="article:modified_time" content="2021-10-20T19:06:35+00:00" />
<meta property="og:image" content="https://www.crowdstrike.com/wp-content/uploads/2021/09/Blog_1060x698-7.jpeg" />
<meta property="og:image:width" content="1060" />
<meta property="og:image:height" content="698" />
<meta name="twitter:card" content="summary_large_image" />
<meta name="twitter:creator" content="@CrowdStrike" />
<meta name="twitter:site" content="@CrowdStrike" />
<meta name="twitter:label1" content="Written by" />
<meta name="twitter:data1" content="Jamie Harries and Dan Mayer" />
<meta name="twitter:label2" content="Est. reading time" />
<meta name="twitter:data2" content="12 minutes" />
<script type="application/ld+json" class="yoast-schema-graph">{"@context":"https://schema.org","@graph":[{"@type":"WebSite","@id":"https://www.crowdstrike.com/#website","url":"https://www.crowdstrike.com/","name":"crowdstrike.com","description":"Next-Generation Endpoint Protection","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https://www.crowdstrike.com/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"ImageObject","@id":"https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks/#primaryimage","inLanguage":"en-US","url":"https://www.crowdstrike.com/wp-content/uploads/2021/09/Blog_1060x698-7.jpeg","contentUrl":"https://www.crowdstrike.com/wp-content/uploads/2021/09/Blog_1060x698-7.jpeg","width":1060,"height":698},{"@type":"WebPage","@id":"https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks/#webpage","url":"https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks/","name":"A Roaming Threat to Telecommunications Companies | CrowdStrike","isPartOf":{"@id":"https://www.crowdstrike.com/#website"},"primaryImageOfPage":{"@id":"https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks/#primaryimage"},"datePublished":"2021-10-19T07:00:10+00:00","dateModified":"2021-10-20T19:06:35+00:00","author":{"@id":"https://www.crowdstrike.com/#/schema/person/466a64c302a00d23fe5d91cc87da41c8"},"description":"Learn about recent LightBasin intrusion activities and why CrowdStrike Intelligence assesses that LightBasin will continue to target the telecommunications sector.","breadcrumb":{"@id":"https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks/"]}]},{"@type":"BreadcrumbList","@id":"https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"LightBasin: A Roaming Threat to Telecommunications Companies"}]},{"@type":"Person","@id":"https://www.crowdstrike.com/#/schema/person/466a64c302a00d23fe5d91cc87da41c8","name":"Jamie Harries and Dan Mayer","image":{"@type":"ImageObject","@id":"https://www.crowdstrike.com/#personlogo","inLanguage":"en-US","url":"http://0.gravatar.com/avatar/6801c57cf9147f52f97bca7428645810?s=96&d=mm&r=g","contentUrl":"http://0.gravatar.com/avatar/6801c57cf9147f52f97bca7428645810?s=96&d=mm&r=g","caption":"Jamie Harries and Dan Mayer"},"url":"https://www.crowdstrike.com/blog/author/jamie-harries-and-dan-mayer/"}]}</script>

<link rel="preload" href="https://www.crowdstrike.com/wp-content/themes/main-theme/dist/scripts/header/megamenu-content.json" as="json"><link rel="preload" href="https://www.crowdstrike.com/wp-content/themes/main-theme/dist/scripts/header/top-nav.json" as="json"><link rel="preload" href="https://www.crowdstrike.com/wp-content/themes/main-theme/dist/data/blog/blog-nav.json" as="json"><link rel='stylesheet' id='single-post.min.css-css' href='https://www.crowdstrike.com/wp-content/themes/main-theme/dist/styles/pages/single-post.min.css?ver=5.8.1' type='text/css' media='all' />
<link rel='stylesheet' id='theme-styles-css' href='https://www.crowdstrike.com/wp-content/themes/main-theme/dist/styles/theme-styles.min.css?ver=5.8.1' type='text/css' media='screen' />
<link rel='stylesheet' id='tablepress-default-css' href='https://www.crowdstrike.com/wp-content/tablepress-combined.min.css?ver=2' type='text/css' media='all' />
<script type="3da5fa11e53f06b6c927eaf7-text/javascript" src='https://www.crowdstrike.com/wp-content/themes/main-theme/dist/scripts/fetch-inject.js?ver=5.8.1' id='fetch-inject-js'></script>
<script type="3da5fa11e53f06b6c927eaf7-text/javascript" src='https://www.crowdstrike.com/wp-content/themes/main-theme/dist/scripts/components/blog-navigation.min.js?ver=5.8.1' id='blog-navigation-js'></script>
<script type="3da5fa11e53f06b6c927eaf7-text/javascript" src='https://www.crowdstrike.com/wp-content/themes/main-theme/dist/scripts/components/blog-categories.min.js?ver=5.8.1' id='blog-categories-js'></script>
<script type="3da5fa11e53f06b6c927eaf7-text/javascript" src='https://www.crowdstrike.com/wp-content/themes/main-theme/dist/scripts/components/blog-category-sidebar.min.js?ver=5.8.1' id='blog-category-sidebar-js'></script>
<link rel='shortlink' href='https://www.crowdstrike.com/?p=45566' />
<link rel="icon" href="https://www.crowdstrike.com/wp-content/uploads/2018/09/favicon-96x96.png" sizes="32x32" />
<link rel="icon" href="https://www.crowdstrike.com/wp-content/uploads/2018/09/favicon-96x96.png" sizes="192x192" />
<link rel="apple-touch-icon" href="https://www.crowdstrike.com/wp-content/uploads/2018/09/favicon-96x96.png" />
<meta name="msapplication-TileImage" content="https://www.crowdstrike.com/wp-content/uploads/2018/09/favicon-96x96.png" />
</head>
<body class="post-template-default single single-post postid-45566 single-format-standard lang-en ">

<noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-5V5LPNC&nojs=1"
height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>

<script type="application/ld+json">
    {
        "@context": "http://schema.org",
        "@type": "Organization",
        "name": "CrowdStrike",
        "url": "http://www.crowdstrike.com",
        "logo": "http://www.crowdstrike.com/wp-content/img/cs_logo.png",
        "sameAs": [
            "http://www.facebook.com/CrowdStrike/",
            "http://www.twitter.com/CrowdStrike/",
            "https://plus.google.com/101967380457820256808/",
            "http://www.linkedin.com/company/crowdstrike",
            "http://www.youtube.com/user/CrowdStrike"
        ]
    }
</script>
<div data-id="wistia_player_embed"></div>
<div id="modal-mask" class="modal_insert_location">
<div class="container">
<div class="row">
<div class="col-lg-12">
<div id="modal-inner-mask" class="modal_mask">
<div class="close_button"><i id="modal-close" class="fa fa-close"></i></div>
<div id="modal-insert" class="modal_content"></div>
</div>
</div>
</div>
</div>
</div><div id="blogNavInsertLocation"></div>
<div class="cs_page_container ">
<div class="search_modal">
<div class="cs_header_container search_modal__section centered">

<input type="text" id="addsearchfield" class="addsearch" disabled="disabled" placeholder="Search" />
<script type="3da5fa11e53f06b6c927eaf7-text/javascript" async="async" src="https://addsearch.com/js/?key=7737a29b854de71521b1cd72c4118cfc"></script>
</div>
</div>
<header id="megaMenu" class="cs_main_menu 0">
<div id="headerPromobar"></div>
<nav class="header_top_menu">
<div class="cs_header_container centered">
<div id="megamenu_top_insert" class="menu_inner_section"></div>
</div>
</nav>
<nav class="header_bottom_menu">
<div class="mega_menu">
<div class="cs_header_container centered mega_menu__header">
<div class="header_logo">
<a href="/">
<svg width="173px" height="32px" viewBox="0 0 173 32" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<g id="Homepage" stroke="none" stroke-width="1" fill="none" fill-rule="evenodd">
<g id="Home" transform="translate(-72.000000, -7240.000000)" fill="#FEFEFE">
<g id="Group-24" transform="translate(72.000000, 7240.000000)">
<g id="Group-7" transform="translate(13.000000, 3.526700)">
<path d="M14.5154,12.2448 L14.5154,11.9378 L11.9154,9.6998 L11.6124,9.6998 C10.8974,10.4898 9.7934,11.0818 8.5584,11.0818 C6.6304,11.0818 5.1134,9.6118 5.1134,7.5938 C5.1134,5.5758 6.6304,4.1058 8.5584,4.1058 C9.7934,4.1058 10.8974,4.6978 11.6124,5.4878 L11.9154,5.4878 L14.5154,3.2498 L14.5154,2.9428 C13.1504,1.2758 11.0064,0.2008 8.5794,0.2008 C4.1174,0.2008 0.7384,3.3598 0.7384,7.5938 C0.7384,7.7578 0.7754,7.9088 0.7864,8.0698 C2.6124,9.3118 4.2244,10.3058 5.6124,11.2158 C7.6134,12.4818 9.2284,13.6468 10.5584,14.7298 C12.2164,14.3108 13.5604,13.4018 14.5154,12.2448 M2.3674,12.1658 C3.4094,13.4458 4.8804,14.3638 6.6154,14.7558 C5.4434,14.0968 4.3084,13.4498 3.2514,12.7338 C2.9414,12.5418 2.6654,12.3558 2.3674,12.1658" id="Fill-1"></path>
<path d="M29.571,14.0437 L28.921,11.2357 L28.683,11.0817 C28.553,11.1477 28.445,11.2357 28.12,11.2357 C27.621,11.2357 27.318,10.7087 27.058,10.2927 C26.625,9.6337 26.278,9.2827 25.975,9.1297 C27.556,8.4277 28.618,7.1117 28.618,5.2247 C28.618,2.3067 26.625,0.4637 22.921,0.4637 L16.465,0.4637 L16.465,14.7237 L20.754,14.7237 L20.754,9.7217 L21.144,9.7217 C22.097,9.7217 23.311,11.7837 23.874,12.7057 C25.044,14.5707 25.975,14.9867 27.643,14.9867 C28.423,14.9867 29.073,14.7017 29.463,14.3507 L29.571,14.0437 Z M24.242,5.4657 C24.242,6.4097 23.549,6.8697 22.747,6.8697 L20.754,6.8697 L20.754,3.9737 L22.747,3.9737 C23.549,3.9737 24.242,4.5007 24.242,5.4657 L24.242,5.4657 Z" id="Fill-3"></path>
<path d="M46.1426,7.5939 C46.1426,3.3599 42.7636,0.2009 38.2796,0.2009 C33.7946,0.2009 30.4156,3.3599 30.4156,7.5939 C30.4156,11.8279 33.7946,14.9869 38.2796,14.9869 C42.7636,14.9869 46.1426,11.8059 46.1426,7.5939 M41.7666,7.5939 C41.7666,9.6339 40.2066,11.0819 38.2796,11.0819 C36.3516,11.0819 34.7916,9.6339 34.7916,7.5939 C34.7916,5.5539 36.3516,4.1059 38.2796,4.1059 C40.2066,4.1059 41.7666,5.5539 41.7666,7.5939" id="Fill-5"></path>
</g>
<polygon id="Fill-8" points="80.6103 3.9906 76.5163 3.9906 73.9813 11.8886 71.2953 3.9906 68.6963 3.9906 66.0313 11.8446 63.4973 3.9906 59.4023 3.9906 59.2073 4.3196 64.4503 18.2506 67.0493 18.2506 69.9953 10.4846 72.9633 18.2506 75.5633 18.2506 80.8053 4.3196"></polygon>
<path d="M96.5105,11.0987 C96.5105,6.8427 93.6725,3.9907 89.0585,3.9907 L82.4945,3.9907 L82.4945,18.2507 L89.0585,18.2507 C93.6725,18.2507 96.5105,15.3987 96.5105,11.0987 M92.1345,11.1207 C92.1345,13.4457 90.7695,14.7407 88.8855,14.7407 L86.7835,14.7407 L86.7835,7.5007 L88.8855,7.5007 C90.7695,7.5007 92.1345,8.7957 92.1345,11.1207" id="Fill-9"></path>
<polygon id="Fill-11" points="119.2316 7.5008 123.5206 7.5008 123.5206 3.9908 110.6536 3.9908 110.6536 7.5008 114.9426 7.5008 114.9426 18.2508 119.2316 18.2508"></polygon>
<path d="M137.233,8.7513 C137.233,5.8333 135.24,3.9903 131.536,3.9903 L125.08,3.9903 L125.08,18.2503 L129.37,18.2503 L129.37,13.2483 L130.388,13.2483 L133.052,18.2503 L137.32,18.2503 L137.515,17.9213 L134.655,12.6343 C136.193,11.9103 137.233,10.6163 137.233,8.7513 M132.857,8.9923 C132.857,9.9363 132.164,10.3963 131.362,10.3963 L129.37,10.3963 L129.37,7.5003 L131.362,7.5003 C132.164,7.5003 132.857,8.0273 132.857,8.9923" id="Fill-12"></path>
<polygon id="Fill-14" points="139.832 18.2507 144.121 18.2507 144.121 3.9907 139.832 3.9907"></polygon>
<polygon id="Fill-15" points="154.9957 10.3747 159.8477 4.3197 159.6527 3.9907 155.0827 3.9907 151.1177 9.0587 151.1177 3.9907 146.8287 3.9907 146.8287 18.2507 151.1177 18.2507 151.1177 13.8627 151.8977 12.9417 155.5377 18.2507 160.0217 18.2507 160.2167 17.9217"></polygon>
<polygon id="Fill-16" points="161.3862 3.9903 161.3862 18.2513 172.1732 18.2513 172.1732 14.7413 165.6742 14.7413 165.6742 12.7663 170.5702 12.7663 170.5702 9.4753 165.6742 9.4753 165.6742 7.5013 172.1092 7.5013 172.1092 3.9903"></polygon>
<g id="Group-23" transform="translate(0.000000, 0.526700)">
<path d="M103.7658,17.8933 C106.9078,17.8933 109.6348,16.3583 109.6348,13.3983 C109.6348,10.1723 106.8858,9.3383 104.4598,8.6363 C103.5058,8.3513 102.5298,8.0213 102.5298,7.3193 C102.5298,6.8143 103.0718,6.5073 103.8958,6.5073 C105.3048,6.5073 106.4958,7.3853 107.1018,7.9563 L107.4048,7.9563 L109.4188,5.5433 L109.4188,5.2363 C108.3578,4.0303 106.1928,3.1093 103.8088,3.1093 C100.4728,3.1093 98.1568,4.9073 98.1568,7.5173 C98.1568,10.3263 100.7108,11.5553 102.8768,12.1693 C104.2858,12.5643 105.2408,12.6303 105.2408,13.3983 C105.2408,13.9473 104.5678,14.2763 103.5268,14.2763 C102.2048,14.2763 100.6028,13.4203 99.8238,12.6523 L99.5208,12.6523 L97.5288,15.1533 L97.5288,15.4603 C98.8058,16.8853 101.1008,17.8933 103.7658,17.8933" id="Fill-17"></path>
<path d="M29.8197,30.9998 C28.7807,28.6218 26.6937,25.5708 18.5177,21.2138 C14.7477,19.1178 8.3067,15.8908 2.5137,9.7578 C3.0387,11.9718 5.7287,16.8368 17.2987,22.9118 C20.5027,24.6648 25.9207,26.3088 29.8197,30.9998" id="Fill-19"></path>
<path d="M29.298,26.9271 C28.312,24.1171 26.532,20.5191 18.091,15.1751 C13.98,12.4811 7.945,9.0981 0,0.4731 C0.568,2.7981 3.078,8.8441 15.73,16.6931 C19.886,19.5091 25.25,21.2461 29.298,26.9271" id="Fill-21"></path>
</g>
</g>
</g>
</g>
</svg> </a>
</div>
<div id="megaSearch" data-id="search" class="search_btn fa-search"></div>
<div id="csMobileMenuBtn" class="mobile_menu_btn"><span></span></div>
<div class="mega_menu__content">
<ul id="megamenu_bottom_nav_insert" class="mega_menu__links"></ul>
<div id="megamenu_bottom_nav_content" class="mega_menu__body"></div>
</div>
</div>
</div>
</nav>
</header>
<div class="cs_page_content">
<div class="mobile_nav_section">
<div class="mobile_nav_content">
<div id="megamenu_mobile_main_nav" class="list_items_content"></div>
</div>
</div>
<div class="cs_main_section">
<main class="main">
<article>
<div class="container">
<div class="row">
<div class="col-12 col-lg-8">
<h1>LightBasin: A Roaming Threat to Telecommunications Companies</h1>
<div class="publish_info">
<p>October 19, 2021</p> <a href="https://www.crowdstrike.com/blog/author/jamie-harries-and-dan-mayer/" title="Posts by Jamie Harries and Dan Mayer" rel="author">Jamie Harries and Dan Mayer</a> <ul class="post-categories">
<li><a href="https://www.crowdstrike.com/blog/category/from-the-front-lines/" rel="category tag">From The Front Lines</a></li></ul> </div>
<div class="post_image"><img width="1060" height="698" src="https://www.crowdstrike.com/wp-content/uploads/2021/09/Blog_1060x698-7.jpeg" class="attachment-post-thumbnail size-post-thumbnail wp-post-image" alt="" loading="lazy" srcset="https://www.crowdstrike.com/wp-content/uploads/2021/09/Blog_1060x698-7.jpeg 1060w, https://www.crowdstrike.com/wp-content/uploads/2021/09/Blog_1060x698-7-300x198.jpeg 300w, https://www.crowdstrike.com/wp-content/uploads/2021/09/Blog_1060x698-7-1024x674.jpeg 1024w, https://www.crowdstrike.com/wp-content/uploads/2021/09/Blog_1060x698-7-768x506.jpeg 768w" sizes="(max-width: 1060px) 100vw, 1060px" /></div>
<div class="blog_content">
<ul>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">LightBasin (aka UNC1945) is an activity cluster that has been consistently targeting the telecommunications sector at a global scale since at least 2016, leveraging custom tools and an in-depth knowledge of telecommunications network architectures.</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Recent findings highlight this cluster’s extensive knowledge of telecommunications protocols, including the emulation of these protocols to facilitate command and control (C2) and utilizing scanning/packet-capture tools to retrieve highly specific information from mobile communication infrastructure, such as subscriber information and call metadata.</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">The nature of the data targeted by the actor aligns with information likely to be of significant interest to signals intelligence organizations.</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">CrowdStrike Intelligence assesses that LightBasin is a targeted intrusion actor that will continue to target the telecommunications sector. This assessment is made with high confidence and is based on tactics, techniques and procedures (TTPs), target scope, and objectives exhibited by this activity cluster. There is currently not enough available evidence to link the cluster’s activity to a specific country-nexus.</span></li>
</ul>
<h2><span style="font-weight: 400;">Background</span></h2>
<p><span style="font-weight: 400;">CrowdStrike Services, CrowdStrike Intelligence and Falcon OverWatch&#x2122; have investigated multiple intrusions within the telecommunications sector from a sophisticated actor tracked as the LightBasin activity cluster, also publicly known as UNC1945. Active since at least 2016, LightBasin employs significant operational security (OPSEC) measures, primarily establishing implants across Linux and Solaris servers, with a particular focus on specific telecommunications systems,<sup>1</sup></span><span style="font-weight: 400;"> and only interacting with Windows systems as needed. LightBasin’s focus on Linux and Solaris systems is likely due to the combination of critical telecommunications infrastructure running on those operating systems, in addition to the comparatively lax security measures and monitoring solutions on Linux/Solaris systems that are typically in place on Windows operating systems within an organization.</span></p>
<p><span style="font-weight: 400;">LightBasin managed to initially compromise one of the telecommunication companies in a recent CrowdStrike Services investigation by leveraging external DNS (eDNS) servers — which are part of the General Packet Radio Service (GPRS) network and play a role in roaming between different mobile operators — to connect directly to and from other compromised telecommunication companies’ GPRS networks via SSH and through previously established implants. CrowdStrike identified evidence of at least 13 telecommunication companies across the world compromised by LightBasin dating back to at least 2019.</span></p>
<h2><span style="font-weight: 400;">GPRS eDNS Servers</span></h2>
<p><span style="font-weight: 400;">LightBasin initially accessed the first eDNS server via SSH from one of the other compromised telecommunications companies, with evidence uncovered indicative of password-spraying attempts using both extremely weak and third-party-focused passwords (e.g., </span><code><span style="font-weight: 400;">huawei</span></code><span style="font-weight: 400;">), potentially helping to facilitate the initial compromise. Subsequently, LightBasin deployed their SLAPSTICK PAM backdoor on the system to siphon credentials to an obfuscated text file. As part of early lateral movement operations to further their access across the network, LightBasin then pivoted to additional systems to set up more SLAPSTICK backdoors.</span></p>
<p><span style="font-weight: 400;">Later, LightBasin returned to access several eDNS servers from one of the compromised telecommunications companies while deploying an ICMP traffic signalling implant tracked by CrowdStrike as PingPong under the filename </span><code><span style="font-weight: 400;">/usr/bin/pingg</span></code><span style="font-weight: 400;">, with persistence established through the modified SysVinit script </span><code><span style="font-weight: 400;">/etc/rc.d/init.d/sshd</span></code><span style="font-weight: 400;"> through the following additional line:</span></p>
<pre><code>cd /usr/bin &amp;&amp; nohup ./pingg &gt;/dev/null 2&gt;&amp;1 &amp;</code></pre>
<p><span style="font-weight: 400;">This implant waits for a magic ICMP echo request, which, when sent to the system, established a TCP reverse shell to an IP address and port specified within the magic packet. The </span><code><span style="font-weight: 400;">/bin/bash</span></code><span style="font-weight: 400;"> process spawned by PingPong masquerades under the process name </span><code><span style="font-weight: 400;">httpd</span></code><span style="font-weight: 400;">.</span></p>
<p><span style="font-weight: 400;">eDNS servers are usually protected from general external internet access by firewalls; the magic packet that PingPong listens for would most likely have to be sent from other compromised GPRS network infrastructure. CrowdStrike Services observed reverse shells that had been spawned from this implant, which communicated with a server owned by a different compromised telecommunications company in another part of the world — typically connecting to the remote system on TCP port 53, which is the port primarily used for DNS. These efforts further indicate the actor’s continued attempts to disguise their activity as legitimate traffic.</span></p>
<p><span style="font-weight: 400;">Alongside the deployment of the PingPong implant, LightBasin added </span><code><span style="font-weight: 400;">iptables</span></code><span style="font-weight: 400;"> rules to the eDNS server that ensured SSH access to the server from five of the compromised telecommunications companies. The actor also replaced the legitimate </span><code><span style="font-weight: 400;">iptables</span></code><span style="font-weight: 400;"> binary with a trojanized version (SHA256: </span><code><span style="font-weight: 400;">97d4c9b5750d614face73d11ba8532e53594332af53f4c07c1543195225b76eb</span></code><span style="font-weight: 400;">) that would filter out output from </span><code><span style="font-weight: 400;">iptables</span></code><span style="font-weight: 400;"> that included the first two octets of the IP addresses belonging to the compromised telecommunications companies. These actions make it more difficult for administrators and analysts to identify the firewall rules through review of</span><code><span style="font-weight: 400;"> iptables</span></code><span style="font-weight: 400;"> output alone. Indicators relating to this utility are highlighted in Table 1.</span></p>
<table class="orange">
<tbody>
<tr class="top-row bg-orange">
<td><strong>File Path</strong></td>
<td><strong>Description</strong></td>
</tr>
<tr>
<td><code><span style="font-weight: 400;">/usr/local/sbin/iptables</span></code></td>
<td><span style="font-weight: 400;">Trojanized </span><code><span style="font-weight: 400;">iptables</span></code><span style="font-weight: 400;"> binary that replaced legitimate version &#8211; SHA256: </span><code><span style="font-weight: 400;">97d4c9b5750d614face73d11ba8532e53594332af53f4c07c1543195225b76eb</span></code></td>
</tr>
<tr>
<td><code>/usr/sbin/iptablesDir/iptables</code></p>
<p><code>/usr/sbin/iptablesDir/iptables-apply</code></p>
<p><code>/usr/sbin/iptablesDir/iptables-batch</code></p>
<p><code>/usr/sbin/iptablesDir/iptables-multi</code></p>
<p><code>/usr/sbin/iptablesDir/iptables-restore</code></p>
<p><code>/usr/sbin/iptablesDir/iptables-save</code></td>
<td><span style="font-weight: 400;">Legitimate </span><code><span style="font-weight: 400;">iptables</span></code><span style="font-weight: 400;"> binaries in a non-standard directory that are invoked by the trojanized version</span></td>
</tr>
</tbody>
</table>
<p style="text-align: center;"><span style="font-weight: 400;">Table 1. Trojanized and legitimate iptables file details</span></p>
<h2><span style="font-weight: 400;">Serving GPRS Support Node (SGSN) Emulation</span></h2>
<p><span style="font-weight: 400;">LightBasin uses a novel technique involving the use of SGSN emulation software to support C2 activities in concert with TinyShell. SGSNs are essentially GPRS network access points, and the emulation software allows the adversary to tunnel traffic via this telecommunications network.</span></p>
<p><span style="font-weight: 400;">TinyShell is an open-source Unix backdoor used by multiple adversaries; however, LightBasin uniquely combined this implant with the publicly available SGSN emulator </span><span style="font-weight: 400;"><code>sgsnemu</code><sup>2</sup></span><span style="font-weight: 400;"> through a bash script. This script constantly ran on the system, but only executed certain steps between 2:15 and 2:45 UTC each day. This window was specified via command-line arguments. During this window, the script performed the following steps in a loop:</span></p>
<ol>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Execute TinyShell</span> <span style="font-weight: 400;">to communicate with an actor-controlled C2 IP address hosted by the virtual private server (VPS) provider Vultr.</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Add a route to the TinyShell C2 on the interface </span><code><span style="font-weight: 400;">tun0</span></code><span style="font-weight: 400;">.</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Check for connectivity to the TinyShell C2 via</span> <code><span style="font-weight: 400;">ping</span></code><span style="font-weight: 400;">.</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">If connectivity to the IP address fails, the script executes the SGSN emulator in a loop, attempting to connect to a set of nine pairs of International Mobile Subscriber Identity (IMSI) and Mobile Subscriber Integrated Services Digital Network (MSISDN) numbers that are used as arguments to the SGSN emulator. These numbers are required to generate Packet Data Protocol (PDP) context requests for connection to a Gateway GPRS Support Node (GGSN), which will then forward traffic to the C2 IP address. Once a connection is established, the SGSN emulator creates a connection to the GGSN via the GPRS Tunnelling Protocol (GTP), and utilizes the interface <code>tun0</code> for the connection. The TinyShell implant then uses <code>tun0</code>, as mentioned above.<sup>3</sup></span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">If a successful connection has not been made by the end of the 30-minute window, the script kills both the SGSN emulator and the TinyShell implant.</span></li>
</ol>
<p><span style="font-weight: 400;">In short, the SGSN emulator is used to tunnel TinyShell C2 traffic between the C2 server and the infected host via GTP through a GGSN.<sup>4</sup> The script is used as a persistence mechanism; it runs continually, but attempts to establish a tunnel to each of the specified mobile stations, which, in turn, act as tunnels to the TinyShell C2 server. The script runs for only 30 minutes each day, culminating in a similar effect to a scheduled job. </span></p>
<p><span style="font-weight: 400;">CrowdStrike Intelligence assesses that this sophisticated form of C2 is likely an OPSEC measure. This assessment carries moderate confidence, as GTP-encapsulated TinyShell C2 traffic is less anomalous within the environment of a global mobile communications network due to its use of a protocol native to the telecommunications infrastructure that is compromised. Additionally, GTP-encapsulated traffic is potentially subject to less inspection and restrictions by network security solutions.</span></p>
<h2><span style="font-weight: 400;">Additional Malware and Utilities</span></h2>
<p><b>CordScan:</b><span style="font-weight: 400;"> This executable is a network scanning and packet capture utility that contains built-in logic relating to the application layer of telecommunications systems, which allows for fingerprinting and the retrieval of additional data when dealing with common telecommunication protocols from infrastructure such as SGSNs. SGSNs could be targets for further collection by the adversary, as they are responsible for packet data delivery to and from mobile stations and also hold location information for registered GPRS users. CrowdStrike identified multiple versions of this utility, including a cross-compiled version for systems running on ARM architecture, such as Huawei’s commercial CentOS-based operating system EulerOS. </span></p>
<p><span style="font-weight: 400;">LightBasin’s ability to fingerprint various brands of telecommunications products and compile tools for various architectures likely indicates robust research and development capabilities to target vendor-specific infrastructure commonly seen in telecommunications environments. This range of capability would also be consistent with a signals intelligence organization with a need to respond to collection requirements against a diverse set of target environments.</span></p>
<p><b>SIGTRANslator:</b><span style="font-weight: 400;"> This executable provides LightBasin with the ability to transmit data via telecommunication-specific protocols, while monitoring the data being transmitted. SIGTRANslator is a Linux ELF binary capable of sending and receiving data via various SIGTRAN protocols, which are used to carry public switched telephone network (PSTN) signaling over IP networks. This signaling data includes valuable metadata such as telephone numbers called by a specific mobile station. Data transmitted to and from SIGTRANslator via these protocols is also sent to a remote C2 host that connects to a port opened by the binary. This allows the remote C2 server to siphon data flowing through the binary and send data to SIGTRANslator from the C2 to be re-sent via a SIGTRAN protocol.</span></p>
<p><span style="font-weight: 400;">Notably, data that is sent to and from the remote C2 is encrypted with the hard-coded XOR key <code>wuxianpinggu507</code>. This Pinyin translates to &#8220;unlimited evaluation 507&#8221; or &#8220;wireless evaluation 507.&#8221; &#8220;Wireless evaluation&#8221; is likely the correct translation, as the malware is targeting telecommunications systems. The identification of a Pinyin artifact indicates the developer of this tool has some knowledge of the Chinese language; however, CrowdStrike Intelligence does not assert a nexus between LightBasin and China. </span></p>
<p><b>Fast Reverse Proxy:</b><span style="font-weight: 400;"> This open-source utility is a reverse proxy used by LightBasin to permit general access to the eDNS server via an actor-controlled C2 IP address hosted by the VPS provider Vultr.</span></p>
<p><b>Microsocks Proxy</b><span style="font-weight: 400;">: This open-source utility is a lightweight SOCKS5 proxy server, typically used by LightBasin to pivot to systems internally.</span></p>
<p><b>ProxyChains:</b><span style="font-weight: 400;"> This open-source utility is capable of chaining proxies together and forcing network traffic through said chain of proxies, even if the program generating the traffic does not have proxy support. It utilizes a configuration file to specify proxies in use. The recovered configuration file contained a mixture of local IP addresses, IP addresses belonging to Vultr, and IP addresses belonging to eight different telecommunication organizations from around the world.</span></p>
<p><span style="font-weight: 400;">Some of the tools and TTPs observed by CrowdStrike Services during investigations deviate from the more sophisticated, OPSEC-aware behavior of LightBasin observed in the past, such as by not encrypting binaries using LightBasin&#8217;s binary packer publicly known as STEELCORGI. The tools and TTPs cataloged in this blog post were observed in congruence with the the usage of SLAPSTICK on select eDNS servers at the start of the intrusion, as well as during periods of strong time correlation, when SSH access from multiple compromised telecommunications company and artifacts indicative of LightBasin tool usage overlapped.</span></p>
<h2><span style="font-weight: 400;">Recommendations</span></h2>
<p><span style="font-weight: 400;">It is not surprising that servers would need to communicate with one another as part of roaming agreements between telecommunications companies; however, LightBasin’s ability to pivot between multiple telecommunications companies stems from permitting all traffic between these organizations without identifying the protocols that are actually required. As such, the key recommendation here is for any telecommunications company to ensure that firewalls responsible for the GPRS network have rules in place to restrict network traffic to only those protocols that are expected, such as DNS or GTP.</span></p>
<p><span style="font-weight: 400;">If already the victim of a LightBasin intrusion, simply restricting network traffic will not solve the problem as LightBasin has displayed the ability to utilize common telecommunications protocols such as GTP for command and control. In this event, CrowdStrike recommends an </span><a href="https://www.crowdstrike.com/services/am-i-breached/incident-response/"><span style="font-weight: 400;">incident response investigation </span></a><span style="font-weight: 400;">that includes the review of all partner systems alongside all systems managed by the organization itself. Similarly, if an organization wishes to determine whether they’ve fallen victim to LightBasin, any compromise assessment must also include a review of all of the aforementioned systems.</span></p>
<p><span style="font-weight: 400;">Further, as it is a common situation where parts of the network may in fact be managed by a third-party managed service provider as opposed to the telecommunications company itself, an evaluation of security controls in place with the partner should be undertaken to ensure that the systems are sufficiently protected. CrowdStrike Services investigations commonly reveal a lack of any monitoring or security tooling on telecommunications core network systems. While the deployment of security tooling to real-time operating systems is generally limited, other Unix-based operating systems that support the core telecommunications network services are typically targeted by LightBasin and should have some basic security controls and logging in place (e.g., SSH logging forwarded to a SIEM, </span><a href="https://www.crowdstrike.com/cybersecurity-101/endpoint-security/endpoint-detection-and-response-edr/"><span style="font-weight: 400;">endpoint detection and response (EDR)</span></a><span style="font-weight: 400;"> for process execution, file integrity monitoring (FIM) for recording file changes of key configuration files). It is also important to ensure that appropriate incident response plans are in place that take into account situations involving partner-managed systems within the network in the event that such an incident is identified. This </span><a href="https://www.crowdstrike.com/cybersecurity-101/incident-response"><span style="font-weight: 400;">incident response plan </span></a><span style="font-weight: 400;">should contain the roles and responsibilities of third-party managed service providers to ensure acquisition of forensic artifacts from third-party equipment not directly under the management of the telecommunication operator themselves.</span></p>
<p><span style="font-weight: 400;">Finally, given that companies within the telecommunications vertical are extensively targeted by highly advanced state-sponsored adversaries on a constant basis, these organizations need to have access to up-to-date and comprehensive threat intelligence resources so they can understand the threats facing the industry. This intelligence should also provide insights into the TTPs of adversaries that telecommunications companies are likely to encounter, across both the corporate network and critical telecommunications infrastructure, so that these insights can then be used to further augment detection mechanisms and inform on decisions regarding existing security controls.</span></p>
<h2><span style="font-weight: 400;">Conclusion</span></h2>
<p><span style="font-weight: 400;">Securing a telecommunications organization is by no means a simple task, especially with the partner-heavy nature of such networks and the focus on high-availability systems; however, with the clear evidence of a highly sophisticated adversary abusing these systems and the trust between different organizations, focusing on improving the security of these networks is of the utmost importance. Given the significant intelligence value to any state-sponsored adversary that’s likely contained within telecommunications companies, CrowdStrike expects these organizations to continue to be targeted by sophisticated actors, further underscoring the criticality of securing all aspects of telecommunications infrastructure beyond simply focusing on the corporate network alone.</span></p>
<h2><span style="font-weight: 400;">Indicators of Compromise</span></h2>
<table class="orange">
<tbody>
<tr class="top-row bg-orange">
<td><strong>Indicator</strong></td>
<td><strong>SHA256 Hashes</strong></td>
<td><strong>Description</strong></td>
</tr>
<tr>
<td><code>/usr/bin/pingg</code></td>
<td><code>e9c0f00c34dcd28fc3cc53c9496bff863b81b06723145e106ab7016c66581f72</code></p>
<p><code>4668561d60daeb7a4a50a9c3e210a4343f92cadbf2d52caab5684440da6bf562</code></td>
<td>PingPong Implant</td>
</tr>
<tr>
<td><code>/usr/lib/om_proc</code></td>
<td><code>3a259ad7e5c19a782f7736b5ac50aac4ba4d03b921ffc6a3ff6a48d720f02012</code></p>
<p><code>65143ccb5a955a22d6004033d073ecb49eba9227237a46929495246e36eff8e1</code></td>
<td>Microsocks Proxy</td>
</tr>
<tr>
<td><code>/usr/lib/frpc</code></td>
<td><code>05537c1c4e29db76a24320fb7cb80b189860389cdb16a9dbeb0c8d30d9b37006</code></p>
<p><code>16294086be1cc853f75e864a405f31e2da621cb9d6a59f2a71a2fca4e268b6c2</code></td>
<td>Fast Reverse Proxy</td>
</tr>
<tr>
<td><code>/usr/lib/frpc.ini</code></td>
<td>N/A</td>
<td>Fast Reverse Proxy Configuration</td>
</tr>
<tr>
<td><code>/usr/lib/cord.lib</code></p>
<p><code>/usr/lib/libcord.so</code></p>
<p><code>/usr/bin/libcord.so</code></td>
<td><code>6d3759b3621f3e4791ebcd28e6ea60ce7e64468df24cf6fddf8efb544ab5aec0</code></p>
<p><code>c5ddd616e127df91418aeaa595ac7cd266ffc99b2683332e0f112043796ede1d</code></p>
<p><code>9973edfef797db84cd17300b53a7a35d1207d166af9752b3f35c72b4df9a98bc</code></p>
<p><code>4480b58979cc913c27673b2f681335deb1627e9ba95073a941f4cd6d6bcd6181</code></p>
<p><code>ad9fef1b86b57a504cfa1cfbda2e2ac509750035bff54e1ca06f7ff311d94689</code></td>
<td>CordScan &#8211; Telecommunications Scanning Utility</td>
</tr>
<tr>
<td><code>/home/<strong>REDACTED</strong>/cordscan_raw_arm</code></td>
<td><code>cdf230a7e05c725a98ce95ad8f3e2155082d5a6b1e839c2b2653c3754f06c2e7</code></td>
<td>CordScan &#8211; Telecommunications Scanning Utility (ARM Architecture)</td>
</tr>
<tr>
<td><code>/usr/lib/javacee</code></td>
<td><code>917495c2fd919d4d4baa2f8a3791bcfd58d605ee457a81feb52bc65eb706fd62</code></td>
<td>SIGTRANslator</td>
</tr>
<tr>
<td><code>/usr/lib/sgsnemu</code></p>
<p><code>/usr/bin/sgsnemu</code></p>
<p><code>/usr/lib/sgsnemu_bak</code></td>
<td><code>bf5806cebc5d1a042f87abadf686fb623613ed33591df1a944b5e7879fb189c8</code></p>
<p><code>78c579319734a81c0e6d08f1b9ac59366229f1256a0b0d5661763f6931c3b63c</code></p>
<p><code>b06f52e2179ec9334f8a3fe915d263180e538f7a2a5cb6ad8d60f045789123b6</code></td>
<td>SGSN Emulator</td>
</tr>
<tr>
<td><code>/usr/lib/tshd</code></td>
<td><code>a388e2ac588be6ab73d7e7bbb61d83a5e3a1f80bf6a326f42b6b5095a2f35df3</code></td>
<td>TinyShell</td>
</tr>
<tr>
<td><code>/home/<strong>REDACTED</strong>/win7_exp/proxychains.conf</code></p>
<p><code>/usr/lib/win7_exp/proxychains.conf</code></td>
<td>N/A</td>
<td>ProxyChains Configuration</td>
</tr>
<tr>
<td><code>/var/tmp/.font-unix</code></td>
<td>N/A</td>
<td>SLAPSTICK Credential Output File</td>
</tr>
<tr>
<td><code>/usr/local/sbin/iptables</code></td>
<td><code>97d4c9b5750d614face73d11ba8532e53594332af53f4c07c1543195225b76eb</code></td>
<td>Trojanized Iptables</td>
</tr>
<tr>
<td><code>/usr/sbin/iptablesDir/</code></p>
<p><code>/sbin/iptablesDir/</code></td>
<td>N/A</td>
<td>Threat Actor-created directories containing legitimate copies of iptables utilities following installation of trojanized version</td>
</tr>
<tr>
<td><code>45.76.215.0/24</code></td>
<td>N/A</td>
<td>Vultr IP range used by LightBasin</td>
</tr>
<tr>
<td><code>167.179.91.0/24</code></td>
<td>N/A</td>
<td>Vultr IP range used by LightBasin</td>
</tr>
<tr>
<td><code>45.32.116.0/24</code></td>
<td>N/A</td>
<td>Vultr IP range used by LightBasin</td>
</tr>
<tr>
<td><code>207.148.24.0/24</code></td>
<td>N/A</td>
<td>Vultr IP range used by LightBasin</td>
</tr>
<tr>
<td><code>172.104.79.0/24</code></td>
<td>N/A</td>
<td>Linode IP range used by LightBasin</td>
</tr>
<tr>
<td><code>45.33.77.0/24</code></td>
<td>N/A</td>
<td>Linode IP range used by LightBasin</td>
</tr>
<tr>
<td><code>139.162.156.0/24</code></td>
<td>N/A</td>
<td>Linode IP range used by LightBasin</td>
</tr>
<tr>
<td><code>172.104.236.0/24</code></td>
<td>N/A</td>
<td>Linode IP range used by LightBasin</td>
</tr>
<tr>
<td><code>172.104.129.0/24</code></td>
<td>N/A</td>
<td>Linode IP range used by LightBasin</td>
</tr>
</tbody>
</table>
<p style="text-align: center;"><span style="font-weight: 400;">Table 2. LightBasin indicators of compromise</span></p>
<h2><span style="font-weight: 400;">Endnotes</span></h2>
<ol>
<li><span style="font-weight: 400;"> Key examples of telecommunications-specific systems targeted include systems involved in the GPRS network such as External DNS (eDNS) servers, Service Delivery Platform (SDP) systems, and SIM/IMEI provisioning, as well as Operations Support Systems (OSS), and Operation and Maintenance Units (OMU).</span></li>
<li><span style="font-weight: 400;"> https[:]//osmocom[.]org/projects/openggsn/wiki/Sgsnemu</span></li>
<li><span style="font-weight: 400;">Correction at 3 p.m. EST 10/20/2021: Clarified the methodology through which an SGSN emulator creates a GTP-encapsulated connection to an IP address.</span></li>
<li>Ibid.</li>
</ol>
<h4><span style="font-weight: 400;">Additional Resources</span></h4>
<ul>
<li><em><span style="font-weight: 400;">Read </span><a href="https://www.crowdstrike.com/blog/how-crowdstrike-stops-revil-ransomware-from-kaseya-attack/"><span style="font-weight: 400;">How CrowdStrike Falcon Stops REvil Ransomware Used in the Kaseya Attack</span></a><span style="font-weight: 400;"> in the CrowdStrike blog.</span></em></li>
<li><em><span style="font-weight: 400;">Download the </span><a href="https://www.crowdstrike.com/resources/reports/global-threat-report/"><span style="font-weight: 400;">CrowdStrike 2021 Global Threat Report</span></a><span style="font-weight: 400;"> for more information about adversaries tracked by CrowdStrike Intelligence in 2020.</span></em></li>
<li><em><span style="font-weight: 400;">See how the powerful, cloud-native </span><a href="https://www.crowdstrike.com/endpoint-security-products/"><span style="font-weight: 400;">CrowdStrike Falcon® platform</span></a><span style="font-weight: 400;"> protects customers from DarkSide ransomware in this blog: </span><a href="https://www.crowdstrike.com/blog/falcon-protects-from-darkside-ransomware/"><span style="font-weight: 400;">DarkSide Goes Dark: How CrowdStrike Falcon Customers Were Protected</span></a><span style="font-weight: 400;">.</span></em></li>
<li><em><a href="https://go.crowdstrike.com/try-falcon-prevent.html"><span style="font-weight: 400;">Get a full-featured free trial of CrowdStrike Falcon Prevent&#x2122; </span></a><span style="font-weight: 400;">and learn how true next-gen AV performs against today’s most sophisticated threats.</span></em></li>
</ul>
</div>
<style>
    .list-share-buttons{
        margin-bottom: 40px;
        margin-left: auto;
    }

    .share-button {
        float: left;
        color: #999;
        border: 1px solid #e4e4e4;
        text-align: center;
        transition: all 0.15s ease;
        margin-right: 5px;
        margin-bottom: 40px;
        margin-left: auto;
        font-size: 13px;
        padding: 0.5em 0.9em;
    }

    .tweet-btn{
        color: #999999;
    }
    .li-btn{
        color: #999999;
    }
    .tweet-btn:hover{
        color: #1DA1F2;
    }

    .li-btn:hover{
        color: #2867B2;
    }

    .fa{
        margin-right:5px;
    }

</style>
<div>
<ul class="list-share-buttons">

<li class="share-button">
<a class="tweet-btn " target="_blank" rel="noopener noreferrer" href="https://twitter.com/share?text=LightBasin%3A+A+Roaming+Threat+to+Telecommunications+Companies&amp;url=https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks/" onclick="if (!window.__cfRLUnblockHandlers) return false; window.open(this.href, '_blank', 'menubar=no,toolbar=no,resizable=yes,scrollbars=yes,height=600,width=600');" data-cf-modified-3da5fa11e53f06b6c927eaf7-="">
<span class="fa fa-twitter"></span>
<span>Tweet</span>
</a>
</li>

<li class="share-button">
<a class="li-btn" target="_blank" rel="noopener noreferrer" href="https://www.linkedin.com/shareArticle?mini=true&amp;url=https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks/&amp;title=LightBasin%3A+A+Roaming+Threat+to+Telecommunications+Companies" onclick="if (!window.__cfRLUnblockHandlers) return false; window.open(this.href, '_blank', 'menubar=no,toolbar=no,resizable=yes,scrollbars=yes,height=600,width=600');" data-cf-modified-3da5fa11e53f06b6c927eaf7-="">
<span class="fa fa-linkedin"></span>
<span>Share</span>
</a>
</li>
</ul>
</div>
<a href="https://go.crowdstrike.com/try-falcon-prevent.html">
<img class="post_cta" src="https://www.crowdstrike.com/wp-content/themes/main-theme/dist/images/blog/breaches-stop-here-post-cta.jpeg">
</a>
<h5>Related Content</h5>
<div class="row recent_articles">
<a class="col-12 col-md-4 recent_articles_item" href="/blog/how-crowdstrike-threat-hunters-identified-a-confluence-exploit/">
<div class="post_image">
<img src="https://www.crowdstrike.com/wp-content/uploads/2021/09/Blog_1060x698-5.jpeg" alt="">
</div>
<div class="post_info">
<h6>Hunting for the Confluence Exploitation: When Falcon OverWatch Becomes the First Line of Defense</h6>
<div class="excerpt">Today’s security defenders are faced with a continuously evolving battleground. The number of security vulnerabilities uncovered annually has grown every year for the past four years. Moreover, adversaries’ ability to rapidly weaponize these vulnerabilities continues to improve.  In particular, vulnerabilities affecting ubiquitous software, such as productivity applications and collaboration software, are likely to be met [&hellip;]</div>
</div>
</a>
<a class="col-12 col-md-4 recent_articles_item" href="/blog/the-myth-of-part-time-threat-hunting-part-2/">
<div class="post_image">
<img src="https://www.crowdstrike.com/wp-content/uploads/2021/09/Blog_1060x698-3.jpeg" alt="">
</div>
<div class="post_info">
<h6>The Myth of Part-time Threat Hunting, Part 2: Leveraging the Power of Human Ingenuity</h6>
<div class="excerpt">The race between hunter and hunted is defined as much by stealth as it is by speed. In Part 2 of this two-part blog series, we dive into why having hunters immersed full time in the threat hunting mission is critical to building out a hunting program capable of detecting stealthy and novel tradecraft before [&hellip;]</div>
</div>
</a>
<a class="col-12 col-md-4 recent_articles_item" href="/blog/introducing-supermem-free-incident-response-tool/">
<div class="post_image">
<img src="https://www.crowdstrike.com/wp-content/uploads/2021/09/Blog_1060x698.jpeg" alt="">
</div>
<div class="post_info">
<h6>SuperMem: A Free CrowdStrike Incident Response Tool for Automating Memory Image Processing</h6>
<div class="excerpt">Performing memory analysis in incident response investigations can be tedious and challenging because of the lack of commercial options for processing memory samples, no all-in-one open-source tools to process samples, and a shortage of the knowledge and skill to do so. Recognizing this, CrowdStrike Services created SuperMem, an open-source Windows memory processing script that helps [&hellip;]</div>
</div>
</a>
</div>
</div>
<div class="col-12 col-lg-4 sidebar">
<div class="blog_subsection">
<div class="blog_section_subtitle">
<div class="title">Categories</div>
</div>
</div>
<div class="blog_featured_category_list" id="blog_category_sidebar_item"></div>
<div class="social">
<h6>Connect with Us</h6>
<div class="social_icons">
<a href="https://www.twitter.com/CrowdStrike"><span class="fa fa-twitter"></span></a>
<a href="https://www.facebook.com/CrowdStrike"><span class="fa fa-facebook"></span></a>
<a href="https://www.linkedin.com/company/crowdstrike"><span class="fa fa-linkedin"></span></a>
<a href="https://www.youtube.com/user/CrowdStrike"><span class="fa fa-youtube-play"></span></a>
<a href="https://www.crowdstrike.com/blog/feed"><span class="fa fa-rss"></span></a>
</div>
</div>
<a class="free_trial_sidebar" href="https://go.crowdstrike.com/try-falcon-prevent.html">
<img src="https://www.crowdstrike.com/wp-content/uploads/2021/07/breaches-stop-here.jpeg">
</a>
<div id="sideBarFeaturedArticles"></div>
<div class="subscribe_cta">
<h6>SUBSCRIBE</h6>
<p>Sign up now to receive the latest notifications and updates from CrowdStrike.</p>
<a class="button white-text white-outline white-text-hover dark-red-background-hover dark-red-outline-hover" data-behavior="modal" data-template-id="modal-42284" href="#">Sign Up</a>
</div>
<div class="demo_cta">
<img src="https://www.crowdstrike.com/wp-content/uploads/2021/07/red-falcon.svg">
<h6>See CrowdStrike Falcon in Action</h6>
<p>Detect, prevent, and respond to attacks— even malware-free intrusions—at any stage, with next-generation endpoint protection.</p>
<a class="button white-text red-background red-outline white-text-hover dark-red-background-hover dark-red-outline-hover" href="https://www.crowdstrike.com/see-demo/">See Demo</a>
</div>
</div>
</div>
<div class="post_nav row">
<div class="col-12">
<div class="links"><span class="fa fa-angle-double-left"></span> <a href="https://www.crowdstrike.com/blog/improving-performance-and-reliability-of-microservices-communication-with-grpc/" rel="prev">Improving Performance and Reliability of Internal Communication Among Microservices: The Story Behind the Falcon Sandbox Team’s gRPC Journey</a></div>
<div class="links"><a href="https://www.crowdstrike.com/blog/log-management-vs-siem-see-how-security-solutions-compare/" rel="next">Log Management vs. SIEM: See How Security Solutions Compare</a> <span class="fa fa-angle-double-right"></span></div>
</div>
</div>
</div>
</article>
<section id="freeTrialCta" class="blog-free-trial-cta">
<div class="container">
<div class="row">
<div class="col-12">
<div class="content">
<h1 class="free-trial-header">TRY CROWDSTRIKE FREE FOR 15 DAYS</h1>
<a class="button white-text red-background red-outline white-text-hover dark-red-background-hover dark-red-outline-hover" id="freeTrialOpenTrigger" href="#">GET STARTED WITH A FREE TRIAL</a>
</div>
</div>
</div>
</div>
<div id="freeTrialContent" class="free-trial-content-wrapper unstuck" style="display: none;">
<div class="container">
<p class="free-trial-close textright white"><a class="free-trial-close-trigger red" id="freeTrialCloseTrigger">X</a></p>
</div>
<div class="container free-trial-iframe-wrapper">
<iframe id="footer-form-frame" height="490" width="800" src="https://go.crowdstrike.com/WF-Trial-to-Pay_LP-Registration-Footer.html" class=""></iframe>
</div>
</div>
</section>
<script type="3da5fa11e53f06b6c927eaf7-text/javascript">
    fetchInject([
        'https://www.crowdstrike.com/wp-content/themes/main-theme/dist/scripts/pages/blog.min.js',
    ])
</script> </main>
<footer class="simple">
<div class="container">
<div class="row">
<div class="col-md-12 top">
<span class="footer-logo"><a class="red" href="https://www.crowdstrike.com"><i class="cs-icon-cs-logo"> </i></a></span>
<ul class="row social-links">
<li class="circle-icon-outline">
<a href="https://twitter.com/CrowdStrike" target="_blank"><i class="fa fa-twitter"></i></a></li>
<li class="circle-icon-outline">
<a href="https://www.facebook.com/CrowdStrike/" target="_blank"><i class="fa fa-facebook"></i></a>
</li>
<li class="circle-icon-outline">
<a href="https://www.linkedin.com/company/crowdstrike" target="_blank"><i class="fa fa-linkedin"></i></a>
</li>
<li class="circle-icon-outline">
<a href="http://www.youtube.com/user/CrowdStrike" target="_blank"><i class="fa fa-youtube-play"></i></a>
</li>
</ul>
</div>
<div class="col-md-12 bottom">
<ul class="row footer-lower-links">
<li class="footer-copyright">Copyright © 2021 CrowdStrike</li>
<li><a href="https://www.crowdstrike.com/privacy-notice/">Privacy</a></li>
<li><a href="https://www.crowdstrike.com/request-information/">Request Info</a></li>
<li><a href="https://www.crowdstrike.com/blog">Blog</a></li>
<li><a href="https://www.crowdstrike.com/contact-us/">Contact Us</a></li>
<li>1.888.512.8906</li>
</ul>
</div>
</div>
</div>
</footer>
</div>
</div>
</div>
<script type="3da5fa11e53f06b6c927eaf7-text/javascript" async="async" src='https://www.crowdstrike.com/wp-content/themes/main-theme/dist/scripts/theme-scripts.min.js?ver=5.8.1' id='theme-scripts-js'></script>
<script src="/cdn-cgi/scripts/7d0fa10a/cloudflare-static/rocket-loader.min.js" data-cf-settings="3da5fa11e53f06b6c927eaf7-|49" defer=""></script></body>
</html>